Risk and Its Impact on Security Within the Cloud - Part 2

In Part 1 we discussed risk, security and cloud computing at a high level. Having been a part of design teams as a contributor as well as project manager to include security and assessment team management over the last few years, I still find the same security concerns and issues directed at the cloud. Here is my take on a few of them with respect to a private cloud environment. Remember a private cloud can be housed within the infrastructure of a service provider (more cost effective for you) or within your own in-house network. Some of these thoughts can be translated into the public cloud environments, although some additional controls may be in order.

It's a given that security of data is a major concern for any entity considering a move toward a cloud computing environment. How your data will be kept secure from unauthorized access, modification or distribution can be a nagging concern. Data loss, modification, or misplacement will affect the entire organizational structure up to and possibly including shareholder value.

Major cloud providers therefore are going to great lengths these days to ensure that there are essential mitigative controls and response processes in place in the event of a security breach, which in most instances will include their client either actively or passively with updates in a predefined time-frame.

Some of these updates can include alerting, centralized logging, smart monitoring (not just signature-based events), and observing traffic to and from the client location into their private cloud environment. They will typically have processes are in place whereby all these systems are auditable and are aligned to established industry standards and aligned with emergency change management protocols.

One thing that I like to look at is a service provider's security policy (which is typically based off the ISO 27000 series) as well as an independent auditor's SAS 70 report. The SAS 70 report for example will identify and test that controls are in place to secure both the physical and logical environments, test access control privileges, test backup and recovery as well as a data protection at rest to name a few. One thing that is important here is getting clarification as to how data in motion is secured going into the cloud from the client's site as well as how the CSP provisions user rights and manage administrative access.

However, before transferring data to the cloud some things you should ask yourself are: Have you identified classified and defined ownership of your data before considering a move to the cloud?

Once there is some structure and organization with regard to data classification and ownership you have taken a step to securing your data and assigned some control as you move to a private cloud. This combined with the implementation of the CSP's stringent controls can ensure that anyone accessing your data is identified, tracked and most important - auditable.

Always remember your CSP wants your business and in this light will endeavor to make you happy by the manner in which they manage your data as well as with the service they provide within this sphere.

CIO, CTO & Developer Resources

In almost all of my articles I have mentioned service level agreements. As cloud services mature, so will the SLAs implemented to protect your data. This will allow you to move your data without worrying about lock-in, incompatibility between CSPs or data loss; an assurance that will become common showing that CSPs are targeting all major areas of concern to earn your business and ensure the confidentiality, integrity and availability of your data.

In closing I wanted to share one question that I have been asked frequently, the one about hypervisor security and the potential of rootkit injection within this area, an attack that can possibly allow data exfiltration without a timely alert.

While there is always the possibility of a crack occurring in any one system, be assured that researchers and practitioners are constantly looking for ways to ensure the security of data.

With that said, I have seen the successful implementation of the Altor software firewall that for the VMware folks can be integrated via VMsafe application programming interfaces.

According to the manufacturer the firewall can see traffic as it moves through the hypervisor between virtual machines (VM) on the same physical host. This is a good baseline and will allow us to track and create auditable records for any notification of an unauthorized or suspicious event occurring.

For more on this hypervisor firewall and the hypervisor environments it can impact, see the VGW Series by Juniper Networks.

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs.
Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise.
He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud.
Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom.
Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point.
Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP.
A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker.
His personal blog is located at http://jonshende.blogspot.com/view/magazine
"We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...

In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...

While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads.
In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...

"NetApp is known as a data management leader but we do a lot more than just data management on-prem with the data centers of our customers. We're also big in the hybrid cloud," explained Wes Talbert, Principal Architect at NetApp, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

"We're focused on how to get some of the attributes that you would expect from an Amazon, Azure, Google, and doing that on-prem. We believe today that you can actually get those types of things done with certain architectures available in the market today," explained Steve Conner, VP of Sales at Cloudistics, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems.
In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...

Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder.
Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...

"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...

"We work around really protecting the confidentiality of information, and by doing so we've developed implementations of encryption through a patented process that is known as superencipherment," explained Richard Blech, CEO of Secure Channels Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available.
In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...

The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, provided a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to oper...

"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...

In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.

Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression.
In th...

SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY.
Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.

"We're developing a software that is based on the cloud environment and we are providing those services to corporations and the general public," explained Seungmin Kim, CEO/CTO of SM Systems Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it’s unclear who has responsibility for the protection of applications, services, and data.
When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users.
In his session at 21st Cloud Expo, Ben Johnson, C...

SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY.
CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...

identify the sources of event storms and performance anomalies will require automated, real-time root-cause analysis.
I think Enterprise Management Associates said it well:
“The data and metrics collected at instrumentation points across the application ecosystem are essential to performance monitoring and root cause analysis.
However, analytics capable of transforming data and metrics into an application-focused report or dashboards are what separates actual application monitoring from relatively simple silo monitoring.

One problem that all developers and companies struggle with is trying to decide if they should "build it" or "buy it". Software developers love to build things. That is what we do! Their natural reaction tends to lean towards building things. We are also always up for a new challenge.
There are very good reasons for building or buying software. There are also good reasons to use open source projects, which is a third option.

These days, no matter what task you’re trying to accomplish within your online properties, chances are there’s at least one cloud solution that provides it. However, with so much of our personal and business data living now online, there’s perhaps no functionality more important than cloud security. With cyber attacks more prevalent than ever, it’s imperative that organizations – regardless of their size and scope – protect both themselves and their clients from nefarious individuals who prey on unsecured networks and data.

MongoDB, an open-source document store and most popular NoSQL database on the market today, offers a variety of advanced features to administer security over your MongoDB deployments. In this tutorial post, we’re going to show you how to set up role-based access control (RBAC) to manage user access across your MongoDB systems for reIndex, mongodump and mongorestore.
If you're the administrator of your MongoDB databases, you've likely received requests to provide an individual user with the capabilities to perform a certain action(s). MongoDB's security features are fairly mature now, and allo...

The benefits of automation are well documented; it increases productivity, cuts cost and minimizes errors. It eliminates repetitive manual tasks, freeing us up to be more innovative. By that logic, surely, we should automate everything possible, right? So, is attempting to automate everything a sensible - even feasible - goal? In a word: no.
Consider this your short guide as to what to automate and what not to automate.

The rule of thumb for network security today is that there is no perimeter anymore. An outsider can easily become an insider once perimeter security is breached. Every day, attackers find new ways to breach enterprise perimeter security through ransomware, malware or phishing through social engineering.
This is not to suggest that all is lost. Rather, organizations can defeat cybercriminals, in part, by better managing what has already been put in place. As an example of what can go wrong if that doesn’t happen, consider the following story.

Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing.
Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By drawing on a comprehensive library of curated industry guidelines, control frameworks, and best practi...

Let's do a visualization exercise. Imagine it's December 31, 2018, and you're ringing in the New Year with your friends and family. You think back on everything that you accomplished in the last year: your company's revenue is through the roof thanks to the success of your product, and you were promoted to Lead Developer. 2019 is poised to be an even bigger year for your company because you have the tools and insight to scale as quickly as demand requires. You're a happy human, and it's not just because of the bubbly in your glass.
Now how does one turn this visualization into reality? You st...

"Opsani helps the enterprise adopt containers, help them move their infrastructure into this modern world of DevOps, accelerate the delivery of new features into production, and really get them going on the container path," explained Ross Schibler, CEO of Opsani, and Peter Nickolov, CTO of Opsani, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

Troubleshooting a problem on a remote server, especially in production, is not an easy task. Sometimes it involves debugging the application code directly on the server.
But the production servers are usually run in a strict environment, where not all convenient developer tools are available.
In this article, you'll discover how to configure a running web server and debug your application using standard facilities provided by the Java platform.

Developing mobile apps has never been an easy task. Creating a mobile app for iOS means owning strong programming skills about Objective-C or Swift and knowing their APIs. Android-based apps are not so different: you have to know Java and the Android Platform and its API.
The learning curve is not fast and it includes how to create nice and interactive user interfaces, connecting embedded features like GPS, camera, showing maps, images and so forth.

The nature of test environments is inherently temporary—you set up an environment, run through an automated test suite, and then tear down the environment. If you can reduce the cycle time for this process down to hours or minutes, then you may be able to cut your test environment budgets considerably.
The impact of cloud adoption on test environments is a valuable advancement in both cost savings and agility. The on-demand model takes advantage of public cloud APIs requiring only payment for the time needed to run automated tests. In this framework, success depends on two things: automated i...

BnkToTheFuture.com is the largest online investment platform for investing in FinTech, Bitcoin and Blockchain companies. We believe the future of finance looks very different from the past and we aim to invest and provide trading opportunities for qualifying investors that want to build a portfolio in the sector in compliance with international financial regulations.

Digital experience monitoring plays a vital role in the ecommerce economy. The industry is booming with millions of websites selling everything imaginable. Online stores are expected to be super fast and easy to navigate; users are quick to assess website performance and if said perceived performance is below expectations, they will quickly move on to competitor’s website.

The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, provided a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to operationalize the intelligence and how to implement a strategy to scale efforts. She pulled from her ex...

Organizations around the world are struggling to cope with the current data explosion. A vital characteristic of this data is that it is unstructured and represents things like email, images, and videos. Storage of this form of data is typically in an object format which differs significantly from the database norm. Databases housed data grows very slowly because most of it is structured. Object storage formats are now being used to optimize access to large amounts of non-transactional files across a growing number of vertical markets.

"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.

The end of the year is a time for reflection. It’s when most of us are looking back at the choices, accomplishments, and mistakes of the year prior and setting goals to improve the following year. It’s also when businesses analyze the year’s trends and behaviors to determine necessary strategic changes to be made; however, if you aren’t analyzing the right metrics, such reflection is a useless effort.
Below is an excerpt from an article provided by Elad Rave, founder and CTO of Teridion, explaining why TTLB (Time to Last Byte) should be one of the performance metrics on your radar.

How much does it cost to make an app is almost as popular a question as it is confusing.
No one tries to learn the exact costs of, say, making a movie: people realize that there’s an overwhelming amount of variables involved on which they depend.
But almost every day a new inquiry is posted on a tech forum, Quora, or Reddit as to how much it’d take to build a mobile business app.

Cloud computing budgets worldwide are reaching into the hundreds of billions of dollars, and no organization can survive long without some sort of cloud migration strategy. Each month brings new announcements, use cases, and success stories.